Please sync dtc-xen from SID

Bug #505072 reported by Thomas Goirand
Affects: dtc-xen (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: dtc-xen

Hi,

I'm the upstream AND maintainer of dtc-xen, software for Xen VPS hosting. I have recently discovered a security issue (race condition) in my software, made by my former employee. Let me explain what happened.

DTC is the web interface for DTC-Xen, and connects to it using SOAP over HTTPS. Each customer that runs a VPS has a user shell account in the dom0 in order to run:

xm console xenXX

where XX is the number of the VPS in the dom0 (not the dom-ID, just something internal in DTC).

To do this, each time a new VPS is instantiated, a new system user is created, with a special shell that has the following:

#!/bin/sh
# Restricted login shell for VPS console users: the only thing it ever runs
# is "xm console" for the account's own VPS.

echo "Welcome to dtc-xen ssh console!"
sleep 1

if [ -n "$1" ]; then
        echo "Sorry, no shell commands allowed"
        exit 1
fi

sudo /usr/sbin/xm console "$USER"

No problem here, except that the first time a user is created, it was given a bash shell for a short while, which should never have been the case. It was as follows:

if ${GETENT} passwd xen${VPSNUM} >/dev/null ; then
        echo "User xen${VPSNUM} already exists: skipping creation!"
else
        if [ -x /usr/sbin/useradd ] ; then
                if [ ! -x /bin/bash ] ; then
                        echo "Could not find the bash shell!"
                        exit 1
                fi
                # The account is created with /bin/bash as its login shell here ...
                /usr/sbin/useradd --home "${XEN_USER_HOME}/xen${VPSNUM}" \
                        -m -s /bin/bash -g ${XENUSERS} xen${VPSNUM}
        else
                echo "Could not find the useradd binary!"
                exit 1
        fi
fi
# Modify an eventual wrong old config
mkdir -p "${XEN_USER_HOME}/xen${VPSNUM}/.ssh"
chown -R xen${VPSNUM}:${XENUSERS} "${XEN_USER_HOME}/xen${VPSNUM}"
# ... and only switched to the restricted console shell afterwards.
usermod -d "${XEN_USER_HOME}/xen${VPSNUM}" -g ${XENUSERS} \
        -s /usr/bin/dtc-xen_userconsole xen${VPSNUM}

As you can see above, there is a race condition where it is possible to log in between the useradd and usermod calls. I believe it would be extremely hard to exploit this issue as:

- dtc-xen also has a dtc-xen-firewall that by default rate-limits ssh logins
- the time between useradd and usermod should be very short
- it will be possible to do this exploit only ONCE after registration, and it won't be possible after the first install of the VPS (as if getent shows the user already exists, it won't be created again).

However, there is still a race condition here, that should be fixed ASAP. Of course, I have changed the -s option of useradd to be dtc-xen_userconsole directly and not bash temporarily. The new version of dtc-xen is available here:

http://ftparchive.gplhost.com/debian/pool/lenny/main/d/dtc-xen/dtc-xen_0.5.4-1.dsc

This has just been uploaded to Debian SID, and you should update Lucid with it asap.

Note that dtc-xen in Stable (Lenny) is not affected as dtc-xen 0.5.x dtc_reinstall_os has been nearly rewritten from scratch. In Ubuntu, only Lucid is affected. I'll make an announcement within 2 days, when dtc-xen 0.5.4-1 migrates to Debian testing. It would be nice if dtc-xen 0.5.4-1 could go in Lucid before that.

Thanks for your attention,

Thomas
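An added check, not part of the bug report or of dtc-xen itself: because the window only exists once per account (the getent guard skips existing users), the practical question for an operator running the old 0.5.1 script is whether any console account was ever left with /bin/bash. The audit below scans a passwd file for xen<number> accounts whose login shell is not the restricted console shell. The shell path /usr/bin/dtc-xen_userconsole and the xen<number> naming convention are taken from the scripts quoted above; the passwd file is passed as a parameter so the check can run against a copy offline, and the sample passwd content is constructed for the dry run.

```sh
#!/bin/sh
# Added example, not dtc-xen code: audit a passwd file for VPS console
# accounts (xenNN) whose login shell is not the restricted console shell.
# An account created by the vulnerable dtc_reinstall_os whose usermod step
# never completed would show up here with /bin/bash.
#
# Assumptions (not from the bug report): the console shell path and the
# xen<number> naming convention come from the quoted scripts; the passwd
# file path is a parameter so the check can be run against a copy.

CONSOLE_SHELL=/usr/bin/dtc-xen_userconsole

# Print "user:shell" for every xenNN account whose shell is not CONSOLE_SHELL.
# Returns 0 when the file is clean, 1 when at least one account is flagged.
audit_vps_shells() {
    passwd_file=$1
    flagged=$(awk -F: -v want="$CONSOLE_SHELL" '
        $1 ~ /^xen[0-9]+$/ && $7 != want { print $1 ":" $7 }
    ' "$passwd_file")
    if [ -n "$flagged" ]; then
        printf '%s\n' "$flagged"
        return 1
    fi
    return 0
}

# Constructed sample passwd file for a dry run; xen12 is the "left in bash"
# case, xenadmin does not match the xen<number> convention and is ignored.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
xen11:x:1001:1001::/home/xen/xen11:/usr/bin/dtc-xen_userconsole
xen12:x:1002:1001::/home/xen/xen12:/bin/bash
xenadmin:x:1003:1001::/home/xenadmin:/bin/bash
EOF

audit_vps_shells "$SAMPLE" || echo "at least one VPS console account has an unrestricted shell"
rm -f "$SAMPLE"
```

Running it against /etc/passwd on a dom0 (as a user that can read it) lists accounts to repair with usermod -s, which is the same command the fixed 0.5.4 script now relies on at creation time instead of afterwards.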

CVE References: CVE-2009-4011

Revision history for this message
Thomas Goirand (thomas-goirand) wrote :

I forgot, this security issue has been assigned the number CVE-2009-4011

Thomas

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

[Updating] dtc-xen (0.5.1-1 [Ubuntu] < 0.5.4-1 [Debian])
 * Trying to add dtc-xen...
  - <dtc-xen_0.5.4-1.diff.gz: downloading from http://ftp.debian.org/debian/>
  - <dtc-xen_0.5.4.orig.tar.gz: downloading from http://ftp.debian.org/debian/>
  - <dtc-xen_0.5.4-1.dsc: downloading from http://ftp.debian.org/debian/>
I: dtc-xen [universe] -> dtc-xen_0.5.1-1 [universe].
I: dtc-xen [universe] -> dtc-xen-firewall_0.5.1-1 [universe].

visibility: private → public
Changed in dtc-xen (Ubuntu):
status: New → Fix Released